Rootkits vs. SIS: And the Winner Is...

By Larry Seltzer  |  Posted 2005-12-16

So would it work? It would and it wouldn't. Clearly SIS can monitor and flag what it claims it can, but I am more concerned with false positives and the credibility of the system.

A system like SIS cannot work as hardware alone; the protections it needs to employ require a deep understanding of the operating system and certain external, trusted programs one would choose to protect.
The SIS monitoring needs to be activated on those areas of memory, and the areas will differ with different operating systems (the SIS papers make clear that the technique is not platform-specific and should work as well with Linux as with Windows).
Even different versions of Windows, perhaps even different patch levels, will require updates to the use of SIS. In fact, use of SIS probably needs to be embedded in the OS itself.

And yet, sometimes the techniques used by rootkits, or something close enough to those techniques that SIS couldn't tell the difference, are employed by legitimate add-on programs, for example, unsurprisingly, security programs themselves. Such programs, not to mention Windows itself, update themselves periodically.

So how is the SIS system to know what is a legitimate, trustworthy operating system or third-party component, and what is an attacker? Perhaps when requesting protection through SIS a challenge could be issued to the user, and here we enter the familiar realm of social engineering:

User pops in a new music CD from our pals at Sony BMG; the software autoplays and installs; since it's smart, modern software, it registers itself with the SIS system; the user is asked "Do you actually trust this thing and want to let it install?" The user does want to let the program install, and so says yes.

It's a cynical example, but I think it raises the realistic point that Intel's proposal, at least with respect to rootkits, doesn't get you around the issue of trust. Certain programs have to be trusted generally in the system. Most users want to be able to install new programs (we're talking consumers here, not businesses where IT should control what gets installed), and most users are not qualified to judge what is a trustworthy program. So what have we accomplished?

I'll go one step further and say, once again with respect to rootkits, that this sort of protection doesn't eliminate the need to do other checking of the sort performed by tools from F-Secure and Sysinternals.

People argue over what the best way is to detect rootkits. Right now I suspect it is tools like the ones I just mentioned. Of course, a rootkit might try to interfere with tools like these too, so perhaps SIS could be helpful in protecting them, and that would be valuable. But don't count on SIS to stop rootkits in and of itself.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's Weblog.

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
